ONC isn't protecting patient data, OIG finds

In two new separate reports, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) raises critical red flags over current attempts to protect electronic health records (EHRs) and health data.

The reports, which focus on how HIPAA security arrangements are being supported, point out problems in two HHS units: the Office for Civil Rights, which enforces the HIPAA security and privacy rules, and the Office of the National Coordinator (ONC) for Health Information Technology, which has oversight of the HITECH Act EHR incentive program.

Concerning the former, OIG said audits of seven sampled hospitals found 151 vulnerabilities--of which 124 were categorized as high impact--in the systems and controls intended to protect electronic personal health information.

These vulnerabilities placed the "confidentiality, integrity, and availability" of the data at risk, OIG said. Outsiders or employees at some hospitals could have accessed--and at one hospital did access--systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.

OIG said CMS's oversight and enforcement actions were not sufficient to ensure that covered entities--such as hospitals--had HIPAA security controls in place and were operating as intended to protect electronic personal health information. This left the data "vulnerable to attack and compromise."

Regarding the latter issue, OIG found that while the interoperability specifications and current rules did include features necessary for securely passing data between systems, ONC did not have standards that included general IT security controls. That gap, OIG said, needs to be addressed to ensure a secure environment for health data.

Controls that need to be addressed, according to OIG, include: encrypting data stored on mobile devices, such as compact disks and thumb drives; requiring two-factor authentication when remotely accessing a health IT system; and patching operating systems of computer systems that process and store EHRs.

For more information:
- read the OIG report auditing information technology security
- here's the OIG report providing a review of HIPAA
- check out the Associated Press article
- read the Health Data Management article
